Check: DNS0470
BIND DNS STIG:
DNS0470
(in version v4 r1.2)
Title
A name server is not configured to only accept notifications of zone changes from a host authoritative for that zone. (Cat II impact)
Discussion
A slave updates its zone information by requesting a zone transfer from its master. In this transaction, the risk for the slave is that the response to its request is not in fact from its authorized master but from an adversary posing as the master. In this scenario, such an adversary would be able to modify and insert records into the slaves zone at will. To protect against this occurrence, the slave must be able to authenticate the master to provide assurance that any zone updates are valid.
Check Content
BIND Instruction: If all of a zone’s NS records are valid, then the default behavior in BIND complies with this requirement and does not require the DNS software administrator to take any additional action. In some cases, the DNS software administrator must implement a non-default configuration to comply with operation requirements. If this is the case, the DNS software administrator must have an understanding of the named.conf options that govern how master name servers notify other hosts of zone changes and when slave servers will accept notifications. If none of these options are selected, the resulting behavior represents an acceptable security risk. If these phrases are configured, then this is a finding. The phrases within the options statement that govern this behavior are: - notify – which turns notification on or off (defaults to on) - allow-notify – which defines from which servers a slave will accept notifications (defaults to the master name server only) Windows DNS Instruction: This check is not applicable to those Windows DNS Zones that are active directory integrated. Those zones will be replicated through active directory. For those servers running as a standard secondary zone, verify the name servers listed are only those authoritative for the zone. From the DNS management console snap-in, expand the Forward Lookup zones branch, select the zone you want to configure and right click and select Properties. Verify the entries under the Name Servers tab are only those authoritative for the zone. In cases in which the name server is not running BIND or Windows DNS, the reviewer must still examine the configuration and its documentation to validate this requirement.
Fix Text
The DNS software administrator should configure a name server to only accept notifications of zone changes from a host authoritative for that zone. Configuration details may be found in the DNS STIG.
Additional Identifiers
Rule ID: SV-4485r2_rule
Vulnerability ID: V-4485
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |